From: Kelly Dean
Newsgroups: gmane.emacs.devel
Subject: Re: Whose keys go on elpa/gnupg/pubring.gpg?
Date: Thu, 08 Jan 2015 06:40:28 +0000
To: Stefan Monnier
Cc: emacs-devel@gnu.org

Stefan Monnier wrote:
>> In that case, where do individual package maintainers' keys go?
>
> Nowhere: the signatures only certify that this is the file that was
> created on elpa.gnu.org.

That's only the case if elpa.gnu.org is the only repository whose key is on the keyring, since package-refresh-contents trusts any repository's key on the keyring to sign any other repository's archive-contents file. Again, technically not a vulnerability, but still not good.
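
The trust scoping discussed in this message, modelled as an added example that is not part of the original post and is not package.el code: it compares a shared keyring, where any listed key is accepted for any archive, with per-archive key pinning. Assumptions: HMAC-SHA256 stands in for an OpenPGP signature, and the repository `other.example`, the archive names, the keys and the archive-contents bytes are all constructed.

```python
import hashlib
import hmac

# Constructed signing keys. HMAC-SHA256 stands in for a detached OpenPGP
# signature so the model runs offline; the trust decision is what matters.
KEYS = {"elpa.gnu.org": b"constructed-gnu-key",
        "other.example": b"constructed-other-key"}  # hypothetical second repo

def sign(key_id, data):
    """Return (key id, signature) as a signature file would carry them."""
    return key_id, hmac.new(KEYS[key_id], data, hashlib.sha256).digest()

def signature_valid(key_id, data, sig):
    """Cryptographic check only: was data signed by key_id?"""
    key = KEYS.get(key_id)
    if key is None:
        return False
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def verify_shared_keyring(keyring, data, signature):
    """Model of the behaviour described above: any key on the keyring
    is accepted for any repository's archive-contents."""
    key_id, sig = signature
    return key_id in keyring and signature_valid(key_id, data, sig)

def verify_pinned(pins, archive, data, signature):
    """Alternative: each archive accepts only the keys pinned to it."""
    key_id, sig = signature
    return key_id in pins.get(archive, set()) and signature_valid(key_id, data, sig)

def compare():
    """Check the 'gnu' archive's contents under both policies."""
    keyring = {"elpa.gnu.org", "other.example"}
    pins = {"gnu": {"elpa.gnu.org"}, "other": {"other.example"}}
    contents = b'(1 (example-pkg . [(1 0) nil "constructed entry" single]))'
    cases = {"gnu signed by elpa.gnu.org": sign("elpa.gnu.org", contents),
             "gnu signed by other.example": sign("other.example", contents)}
    return {name: (verify_shared_keyring(keyring, contents, s),
                   verify_pinned(pins, "gnu", contents, s))
            for name, s in cases.items()}

if __name__ == "__main__":
    for name, (shared, pinned) in compare().items():
        print(f"{name}: shared keyring={shared}, pinned={pinned}")
```

With only the elpa.gnu.org key on the keyring, the two policies give the same answer, which is the condition the message states.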